This invention relates generally to computer access control, and more particularly to a process of obtaining user account data in a computer logon procedure.
Ever since the advent of digital computers, access control has been an important topic of computer security. To protect the integrity of computer systems and the confidentiality of important data, various access control schemes have been implemented to prevent unauthorized users and malicious attackers from gaining access to computer resources.
To ensure the comprehensiveness of computer security, access control is often implemented on various levels. For instance, on the level of one computer, a user is typically required to go through a logon procedure in which the computer determines whether the user is authorized to use the computer. In addition, on the level of a computer network, a user is commonly required to go through a user-authentication process for purposes of controlling the user""s access to various network services. Even after the user has been authenticated by a network access control server, the user may still have to request a permit for a specific server in order to access that service. Various schemes based on different protocols, such as the Kerberos 5 protocol, have been proposed and implemented for controlling network access control by means of user authentication.
Generally, the user logon for a computer and the user authentication for network access control are two separate procedures. Nevertheless, to minimize the burden on a user in dealing with the different access control schemes, the user logon and the user authentication for network access are sometimes performed together. For example, in the case where the user authentication is implemented under the Kerberos protocol, when the user logs on the computer, the computer may also initiate a Kerberos authentication process. In the authentication process, the computer contacts a Kerberos Key Distribution Center (KDC) to first obtain a ticket-granting ticket (TGT) for the user. The computer can then use the TGT to obtain from the KDC a session ticket for itself.
Performing the user logon and user authentication for network access control together is desirable from a user""s point of view, because the user does not have to enter her password or other security information multiple times. Nevertheless, due to the extra network access involved, the combined logon and authentication process can take much longer time to complete and are more prone to failure due to network or service failure. There is therefore a need to more effectively combine the logon and user authentication processes to improve the success rate and speed of the combined logon process.
In view of the foregoing, the present invention provides a method and system for an improved combined logon process that utilizes network communications with a network access control server for gaining network access to provide the user""s account data needed for logon. When a user tries to log on a computer, the computer initiates a user-authentication process with a network access control server for purposes of obtaining access to network services, which include the computer that the user intends to log on. During the authentication process, the network access control server queries a directory service for the account data for the user. After obtaining the user""s account data, the network access control server includes the account data in a network access response sent to the computer as part of the network access control process. The computer then retrieves the user account data from the communication packet and uses the data to complete the user logon. The inclusion of the account data in the network access response removes the need for the computer to independently contact another service, such as the directory service, to obtain the account data. The reduction of network communications involved makes the combined logon-authentication process faster and less prone to failure.
Additional features and advantages of the invention will be made apparent from the following detailed description of illustrative embodiments, which proceeds with reference to the accompanying figures.